
It's a pretty straightforward question: I have a certificate issued by DigiCert, already installed on my origin, and I want to use it for the CDN.

I'm starting to configure Akamai CDN in front of my origin, but they say they will purchase a certificate for me to be installed on their nodes, and I'm wondering why they wouldn't use the same certificate I have.

I found an option on CloudFlare to upload my own certificate, however I didn't test it yet, so I'm not sure if it will work there.

Does anyone have any experience with either of those CDNs, or a technical explanation of why this is really not possible?

MMSs

3 Answers

Most websites using a CDN make use of a subdomain (e.g. cdn.yourwebsite.com) to deliver static assets from. This means that in order to deliver CDN assets over SSL you will need a certificate for the "cdn" subdomain.

If you already have an SSL certificate installed on your origin, it's likely that it is valid for yourwebsite.com and www.yourwebsite.com but not cdn.yourwebsite.com.

Therefore you have a few options:

  • Purchase an SSL certificate for cdn.yourwebsite.com
  • Purchase a wildcard certificate that is valid for *.yourwebsite.com
  • Use a CDN which supports Let's Encrypt and provides you with a free SSL certificate for your "cdn" subdomain.

I would recommend taking a look at cdncomparison for more information regarding the differences that exist between popular CDN providers.

CodyA

I use another CDN (CloudFront), and I have the same certificate on both the CDN and the origin. I assume Akamai also forwards the Host header to the origin, so as long as this matches your certificate, you should be fine.

I assume you need to set things up like this:

  • Make sure that the DNS record that points to your CDN matches the certificate you have configured in Akamai.
  • Akamai will forward the request to your origin, leaving the Host header intact.
  • Your origin will verify the Host header against the SSL certificate it has been configured with.
Jeroen Jacobs
    So there should be no blocker from using the same certificate. But I'm still not sure why Akamai insists on their approach, could it be just making more money?! – MMSs Apr 14 '16 at 12:08
  • @MMSs It's likely they just have an automated process for generating, provisioning, renewing, and deploying certificates. – ceejayoz Jan 10 '17 at 15:17
  • @ceejayoz you're right, I had several meetings with them since I asked this question. They say it's too difficult for them to let clients use their own certificate, because of the size of their network, and that's why they do it on behalf of their clients. – MMSs Jan 10 '17 at 15:45
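The check that both of the answers above turn on, whether the certificate already on the origin is valid for the hostname clients will use to reach the CDN (the "cdn" subdomain in the first answer, the name in the DNS record and Host header in the second), can be run against the certificate file itself. The script below is an added example, not code from either answer, from Akamai or from CloudFront: it reads the subjectAltName list with the openssl CLI and applies the usual hostname-matching rule (exact match, or a wildcard that stands in for exactly one leftmost label). The self-signed certificate for example.com and www.example.com that it creates, and the hostnames it checks, are constructed for the demo; point it at your real certificate instead.

```shell
#!/bin/sh
# Added example (not from the original answers): does this certificate cover
# the hostname the CDN will serve? Requires the openssl CLI.
# example.com / www.example.com / cdn.example.com are placeholder names.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test certificate: valid for example.com and www.example.com only,
# the typical origin certificate the first answer describes.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" \
    -out "$WORK/cert.pem" -days 1 -subj "/CN=example.com" \
    -addext "subjectAltName=DNS:example.com,DNS:www.example.com" >/dev/null 2>&1
  echo "$WORK/cert.pem"
}

# Print the dNSName entries of the certificate's subjectAltName, one per line.
san_names() { # san_names <cert.pem>
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' | sed -n 's/.*DNS:[[:space:]]*//p' | sed 's/[[:space:]]*$//'
}

# Hostname matching as browsers do it: case-insensitive exact match, or a
# wildcard that is the whole leftmost label and matches exactly one label.
host_matches_name() { # host_matches_name <hostname> <SAN dNSName>
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  [ "$host" = "$name" ] && return 0
  case "$name" in
    '*.'*) ;;                 # only "*.<suffix>" is a usable wildcard
    *) return 1 ;;
  esac
  suffix=${name#\*.}
  case "$host" in
    *."$suffix") ;;
    *) return 1 ;;            # *.example.com does not cover example.com itself
  esac
  label=${host%."$suffix"}
  case "$label" in
    ''|*.*) return 1 ;;       # ... nor a.b.example.com (two labels)
  esac
  return 0
}

# True if any SAN in the certificate covers the hostname.
cert_covers_host() { # cert_covers_host <cert.pem> <hostname>
  for n in $(san_names "$1"); do
    host_matches_name "$2" "$n" && return 0
  done
  return 1
}

if command -v openssl >/dev/null 2>&1; then
  CERT=$(make_test_cert)
  for h in www.example.com cdn.example.com; do
    if cert_covers_host "$CERT" "$h"; then
      echo "$h: covered by [$(san_names "$CERT" | tr '\n' ' ')]"
    else
      echo "$h: NOT covered; get a certificate for it or a *.example.com wildcard"
    fi
  done
else
  echo "openssl not found; skipping certificate demo" >&2
fi
```

Run it as `sh check-san.sh` (any file name will do) and replace `make_test_cert` with the path to the certificate on your origin. If the CDN hostname is reported as not covered, you are in the situation the first answer describes and one of its three options applies.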

Akamai has a strange Certificate Provisioning System (CPS); it can be very messy. They won't allow you to upload a certificate to them. You can, however, work in reverse by creating the CSR in Akamai CPS (as a third-party certificate), take that to your CA, complete it in Akamai, then import that certificate to your origin.

Note: When completing the CSR, you have to make sure you get the order right or it will invalidate that request and you'll have to get another certificate.

Simon
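The CSR-first flow in this answer, as an added example done entirely with the openssl CLI rather than in Akamai CPS (this is not Akamai's code or the answer author's): generate a key and a CSR that lists the CDN hostnames, have the CSR signed, and then, before completing the request, confirm that the certificate you got back was issued for the public key in that CSR. The "CA" step is a self-signed stand-in constructed for the demo, and example.com, cdn.example.com, other.example.net and the file names are assumptions. A second, unrelated key/CSR pair shows what mixing up the order looks like: the certificate does not match the request, and the check rejects it.

```shell
#!/bin/sh
# Added example (not from the original answer or from Akamai CPS): CSR first,
# then verify the issued certificate against that CSR before completing it.
# Assumes the openssl CLI; all hostnames are placeholders and the "CA" below
# is a constructed self-signed stand-in for the real CA's reply.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1: new private key + CSR. The SAN list must name every hostname the
# CDN will serve; a CN on its own is not enough for modern browsers.
make_csr() { # make_csr <label> <CN> <subjectAltName value>
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
    -subj "/CN=$2" -addext "subjectAltName=$3" >/dev/null 2>&1
}

# Step 2 (simulated CA): sign the CSR. A real CA signs with its own key and
# copies the SANs from the request; the stand-in self-signs and re-states them.
issue_cert() { # issue_cert <label> <subjectAltName value>
  printf 'subjectAltName=%s\n' "$2" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 1 \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# SHA-256 of the DER-encoded public key in a CSR (*.csr), a private key (*.key)
# or a certificate (anything else). Same fingerprint = same key pair.
pubkey_fingerprint() { # pubkey_fingerprint <file>
  case "$1" in
    *.csr) openssl req  -in "$1" -noout -pubkey ;;
    *.key) openssl pkey -in "$1" -pubout ;;
    *)     openssl x509 -in "$1" -noout -pubkey ;;
  esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 | sed 's/.*= *//'
}

# Step 3: a certificate completes this CSR only if it carries the same public
# key; a certificate issued for any other request will not, and a certificate
# can only be installed where the matching private key lives.
cert_matches_csr() { # cert_matches_csr <cert.crt> <request.csr or private key>
  [ "$(pubkey_fingerprint "$1")" = "$(pubkey_fingerprint "$2")" ]
}

if command -v openssl >/dev/null 2>&1; then
  make_csr   cdn   cdn.example.com   "DNS:cdn.example.com,DNS:example.com"
  issue_cert cdn                     "DNS:cdn.example.com,DNS:example.com"
  make_csr   other other.example.net "DNS:other.example.net"   # unrelated request
  issue_cert other                   "DNS:other.example.net"

  for c in cdn other; do
    if cert_matches_csr "$WORK/$c.crt" "$WORK/cdn.csr"; then
      echo "$c.crt matches cdn.csr: safe to complete and install"
    else
      echo "$c.crt does NOT match cdn.csr: wrong certificate for this request"
    fi
  done
else
  echo "openssl not found; skipping demo" >&2
fi
```

In the real flow the private key for the CDN certificate stays inside Akamai CPS, so the CSR comparison is the check to run on the CA's reply before "completing" in CPS. The same function with the origin's private key as the second argument tells you whether that certificate can be installed on the origin at all, since a certificate is only usable alongside its own private key.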